Report Exposes How Kenya Lost Ksh29.9 billion to Hackers

A new report has exposed the growing financial impact of cybercrime on Kenya, revealing that the country lost an estimated $0.23 billion (approximately Ksh29.9 billion) to hackers and cyber incidents. The Africa Cybersecurity Report—Kenya 2024/2025, produced by the Africa Cyber Immersion Centre (ACIC) in partnership with various collaborators, highlights the nation’s rapid digital transformation and the evolving cyber threats that accompany it.

According to the report, Africa suffers an estimated $5 billion in annual cybercrime losses, representing 0.18% of the continent’s GDP. Despite Kenya maintaining a 3:1 spend-to-loss ratio, which stands as the benchmark for resilience efficiency in Africa, the country still lost $0.23 billion in 2024/2025. This imbalance underscores the magnitude of financial exposure even in nations that invest heavily in cybersecurity.

Kenya and Nigeria account for the majority of cybersecurity spending in Africa

Across the continent, cybersecurity spending reached $15.3 billion, with Kenya and Nigeria jointly accounting for nearly 14% of the total. Their advanced fintech and mobile-money ecosystems make both countries attractive targets for cybercriminals.

“Across the continent, total cybersecurity expenditure reached USD 15.3 billion (0.55 % of GDP) while cybercrime losses totalled USD 5 billion (0.18 % of GDP). Despite higher incident volumes, regulatory action, improved SOC coverage, and maturing governance frameworks show measurable progress in resilience capability. This establishes a 3:1 spend-to-loss ratio, Africa’s benchmark for resilience efficiency.”

The losses are particularly concentrated in highly digitized industries, with financial services, government and public sector, and telecommunications emerging as the most frequently targeted sectors.

How the money is lost

The report outlines a wide range of threat scenarios contributing to financial losses. While fraud-related attacks—including payment fraud, email fraud, and online fraud—are the most common, ransomware and third-party outages cause the most serious financial damage per incident.

Ransomware and supply-chain attacks represent only 9% of all incidents combined, yet they account for 25% of the total loss magnitude. Ransomware-related data encryption alone contributes 18% of the overall losses, with downtime and system recovery representing the bulk of the cost.

Operational outages caused by internal system errors and misconfigurations now rank among the top three causes of financial loss, highlighting significant gaps in redundancy and preparedness.

Identity-based attacks—such as phishing, credential theft, and Business Email Compromise (BEC)—make up 48% of all incidents. These vectors are frequently linked to high-value fraud within Kenya’s financial sector.

The report cites specific publicized cases from Kenya in 2025, including a compromise of a digital payments portal that resulted in the theft of Ksh49 million after attackers disabled OTP notifications and funneled funds into various mobile wallets, bank accounts, and till numbers.

Also cited is the banking fraud incident in which a syndicate stole more than Ksh6 million from a commercial bank.

The report notes that AI is expanding both defensive capabilities and attack sophistication. Cybercriminals are using AI-powered tools to automate intrusions, create more convincing deepfakes, impersonate voices for social engineering, and exploit vulnerabilities more efficiently.

Kenya’s digital infrastructure remains significantly exposed, with many devices accessible through open ports on Telnet, FTP, RDP, and other remote-access services. Telnet and FTP are particularly risky because they lack encryption.

Additionally, 37% of Kenyan organizations surveyed reported experiencing a cyber incident in the past year, primarily due to phishing and ransomware.

Shift from risk management to cyber resilience

The report stresses the urgent need for organizations to move beyond traditional risk-management frameworks and begin pursuing measurable cyber resilience.

This shift has been made more pressing by the increasing integration of AI not only within modern business processes but also within the attack techniques employed by cybercriminals.

To curb rising cyber losses, the report calls for a shift toward resilience engineering, with a focus on mandatory recovery and continuity validation. This includes routine recovery testing and the adoption of immutable backups to ensure faster restoration after an attack.

“Cyber resilience is now a business and continuity imperative. Boards must demand strategies, evidence-based reporting, crisis readiness, and measurable resilience outcomes,” the report states.

Organizations are also encouraged to strengthen identity assurance, enhance data integrity safeguards, and enforce stricter oversight of third-party service providers. By aligning continuity planning with cyber response, Kenya can reduce both the likelihood and severity of cyber incidents.

Ultimately, the report emphasizes that cybersecurity should no longer be viewed as a cost burden but as a strategic investment essential for safeguarding Kenya’s rapidly digitizing economy.
